http 1.1 authorization header is sent to every resource under a given domain

Hi All,

I have a problem and I'm hoping someone can point me in the right direction.

I am encountering a situation whereby an HTTP 1.1 Authorization header is sent to every resource under a given domain even though the initial 401 Authentication response by which the authorization information is requested contains a realm associated with a specific resource on the server.

I understand from the HTTP 1.1 spec that a browser can pre-emptively send the Authorization header to a resource for which it already has authenticated.

'A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.' (http://www.ietf.org/rfc/rfc2617.txt)

However, it would appear the browser is pre-empting every resource under the domain with the Authorization header.

I have experienced this behaviour for the domain and resources in question whilst using Opera 11.1, IE[7,8] and Firefox 3.x, which leaves me feeling confident (although not 100%) that this is not a browser bug.

It is worth mentioning that the server presents the resource associated with the realm in question as virtual, managed by the 'Alias' directive under Apache 2.0; thus for protected resource '/x' the Apache configuration is:

Alias /x "/absolute/linux/filesystem/path"

<Directory "/absolute/linux/filesystem/path">
    ...
    AuthName "y"
    AuthType Basic
    ...
</Directory>

I have one completely unsupported theory that the issue is related to the fact that '/x' is presented by Apache as a virtual resource. I wonder if somehow this ends up mapping the realm to '/' instead of '/x'. I draw this conclusion from the fact that the browser is pre-empting the Authorization header to every resource.

I would be grateful if someone could point me in the right direction as it's likely I have something incorrectly configured in my setup.

In the interests of brevity I have omitted certain information (e.g. module versions et al.); if required, please ask and I will be more than happy to provide it.

Thanks for reading.

Chris
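As an added illustration (not part of Chris's message), the client-side rule from RFC 2617 section 2 applied to the situation above, using a constructed host name and paths: after a 401 for some Request-URI, a client assumes everything at or below that URI's enclosing "directory" is in the same protection space, so a challenge answered for '/x' (no trailing slash) puts the whole host in one space, while '/x/' confines it to /x/.

```python
"""Which later requests get a cached Basic Authorization header preemptively?

Illustrative code written for this post, not Chris's setup. It models the
client-side rule from RFC 2617 section 2: the protection space of a challenge
is every path at or deeper than the last symbolic element of the challenged
Request-URI, i.e. everything up to and including its last '/'.
Hostname and paths used below are constructed examples.
"""
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """URL prefix a client treats as the protection space of a challenge.

    A challenge for '/x' yields '/', while one for '/x/' yields '/x/'.
    """
    parts = urlsplit(challenge_url)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]
    return f"{parts.scheme}://{parts.netloc}{directory}"


def will_preempt(challenge_url: str, request_url: str) -> bool:
    """True if the client would attach Authorization without a new challenge."""
    return request_url.startswith(protection_space(challenge_url))


def preempted_requests(challenge_url: str, request_urls):
    """Map each later request URL to whether it would carry the header."""
    return {u: will_preempt(challenge_url, u) for u in request_urls}


if __name__ == "__main__":
    later = [
        "http://example.test/index.html",
        "http://example.test/public/logo.png",
        "http://example.test/x/report.csv",
    ]
    # Challenge answered for '/x' (no trailing slash): the space is '/',
    # so the credentials go to every resource on the host.
    for url, sent in preempted_requests("http://example.test/x", later).items():
        print(f"challenge /x  -> {url}: Authorization sent = {sent}")
    # Challenge answered for '/x/': only resources under /x/ receive it.
    for url, sent in preempted_requests("http://example.test/x/", later).items():
        print(f"challenge /x/ -> {url}: Authorization sent = {sent}")
```

A quick check against a real server is to look in the access log for the Request-URI of the first 401 response ('/x' versus '/x/'), since that path, not the realm string, is what decides the space a browser computes.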

